10/11/14

Exploring Microsoft's "Azure" - setting up an IPsec VPN.

I need to explore Microsoft's Azure cloud services.  Azure offers on-demand point-to-site SSTP VPN access and always-on site-to-site IPsec VPN access for $27/month.  I want the latter.  At my work, we'd use a SonicWALL router for the IPsec VPN, but I'd like to test this out on a lower budget.  The Cisco RV110 ($67) would work, but then I realized it could be done for free with the pfSense open source firewall software running as a Hyper-V virtual machine.

Step one was to buy a USB-to-Ethernet adapter that has drivers for Hyper-V Server 2012 R2 ($12).  The setup.exe ran just fine on the Hyper-V server.  Created a virtual "external" Hyper-V switch bound to that adapter, not shared with the management OS (so the host itself never sits on the raw cable-modem segment), with SR-IOV enabled, for the WAN.  Used "Legacy Network Adapters" in the pfSense VM for compatibility purposes (the pfSense release of the day had no driver for the synthetic Hyper-V NIC; FreeBSD sees the legacy ones as de0, de1, ...).  They top out at 100Mbps, which is fine for my 15/5Mbps cable link.

The pfSense setup wizard is case sensitive if you enable MAC address spoofing and type in a MAC (it wants lower case, colon-separated).  If you go this route, also enable MAC spoofing on the matching Hyper-V NIC, otherwise the virtual switch silently drops frames from the spoofed source address.
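The Hyper-V side of the setup just described, done from PowerShell on the Hyper-V Server 2012 R2 host instead of clicking through Hyper-V Manager. This is an added example, not part of the original post; the adapter name, VM name, VHD path and MAC address are assumptions, and the LAN switch is created as an internal switch because the post does not say how the LAN was attached.

```powershell
# Added example (not from the original post). Hyper-V 2012 R2 cmdlets only.
$wanNic  = 'USB Ethernet'      # the USB-to-Ethernet adapter as Windows names it (assumed)
$vmName  = 'pfSense'           # assumed
$vhd     = 'C:\VMs\pfSense.vhdx'   # assumed
$wanMac  = '00155D0A0B01'      # locally chosen MAC for the WAN side (assumed);
                               # pfSense wants the same one as 00:15:5d:0a:0b:01 (lower case)

# WAN switch: external, bound to the USB NIC, NOT shared with the management OS.
# The host therefore has no address on the cable-modem segment; only pfSense does.
# SR-IOV only matters for synthetic adapters, so it is harmless but unused with legacy NICs.
New-VMSwitch -Name 'WAN' -NetAdapterName $wanNic -AllowManagementOS $false -EnableIov $true

# LAN switch: internal in this example (assumed); use an external switch on a second
# physical NIC if other machines on the LAN must reach pfSense.
New-VMSwitch -Name 'LAN' -SwitchType Internal

# Generation 1 VM: legacy (emulated) adapters and the FreeBSD kernel of the time need it.
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 1GB `
       -NewVHDPath $vhd -NewVHDSizeBytes 8GB

# New-VM adds a default synthetic adapter; drop it and add two legacy ones instead.
# FreeBSD will see them as de0 (first added, WAN) and de1 (LAN); 100 Mbps ceiling each.
Get-VMNetworkAdapter -VMName $vmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'WAN' -IsLegacy $true -Name 'WAN'
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'LAN' -IsLegacy $true -Name 'LAN'

# If pfSense will spoof a MAC on WAN, Hyper-V has to permit it on that adapter,
# and the static MAC here must match what is typed into the pfSense wizard.
Set-VMNetworkAdapter -VMName $vmName -Name 'WAN' -MacAddressSpoofing On -StaticMacAddress $wanMac

Get-VMNetworkAdapter -VMName $vmName | Format-Table Name, IsLegacy, SwitchName, MacAddress, MacAddressSpoofing
```

Leave MacAddressSpoofing Off on the LAN adapter; it is only needed where the guest deliberately changes its source MAC, and turning it on elsewhere just weakens the switch's port isolation.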

The pfSense WAN interface had a hard time obtaining a DHCP lease from the cable modem.  Eventually I rebooted the cable modem (again) and then traffic started flowing.

Enabling DHCP on the LAN interface unexpectedly took down access to the web GUI (I couldn't even ping the LAN interface), and rebooting pfSense didn't fix it.  What did: option 8 at the console (shell access), then "ifconfig de1 down" followed by "ifconfig de1 up" (de1 being the LAN legacy NIC).  After that I could reach the web GUI, saw the WAN interface had no IP, clicked the "Renew" button, and it got its DHCP lease from the cable modem OK.

OK, now I had reached the point where I'd have been 5 minutes after bringing home a router from the store!

To set up the IPsec VPN link, I followed this outstanding tutorial.  However, I didn't follow it exactly - I enabled dynamic routing in the Azure gateway...and that's not compatible with pfSense (a dynamic routing gateway is route-based and uses IKEv2; pfSense of that era only does policy-based IKEv1)...so deleted the gateway and recreated it with static routing per the tutorial...connected OK now.  Lastly, edited the firewall rules in pfSense (Firewall > Rules, IPsec tab) to allow all traffic in/out of the VPN.  That's fine for a lab; for anything longer-lived, narrow those rules to the hosts and ports that actually need to cross the tunnel, since the Azure side is otherwise one hop from everything on the LAN.

I'd spun up a domain controller in Azure and now assigned a static IP address to it inside Windows....which promptly disabled my access because you're not allowed to do that in Azure - every virtual machine's NIC must stay on DHCP, because the Azure DHCP lease is what binds the VM to its virtual network.  If you need a fixed address (and a domain controller does), reserve it from the platform side with the Set-AzureStaticVNetIP cmdlet in the Azure PowerShell module instead of setting it in the guest.  Oops!

There's no console access to Azure virtual machines as of this writing (October, 2014), so if you can't RDP into your virtual machine, here are your options (I used option 1):

1. Delete the VM, retaining the VHD(s).  Recreate it from the original VHD(s); once it boots, its NIC is back on DHCP and it picks up an address from the Azure DHCP server.
2. Use PowerShell to download the VHD, boot it in a local Hyper-V session, fix the NIC settings, and upload it again.
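Option 1 as a script, followed by reserving the DC's address the supported way, using the Azure Service Management (classic) PowerShell cmdlets as they existed in late 2014. This is an added example, not part of the original post; the subscription, cloud service, VM, virtual network, subnet and IP address names are all assumptions. It also covers the DNS point below: a DC whose address is reserved is safe to list as the virtual network's DNS server.

```powershell
# Added example (not from the original post). Azure Service Management cmdlets, 2014 era.
$subscription = 'MySub'        # assumed
$serviceName  = 'lab-svc'      # cloud service the VM lives in (assumed)
$vmName       = 'DC01'         # assumed
$vnetName     = 'LabVNet'      # assumed
$subnetName   = 'Subnet-1'     # assumed (Azure's default subnet name)
$staticIp     = '10.1.0.4'     # first usable address in the subnet (assumed)

Add-AzureAccount
Select-AzureSubscription -SubscriptionName $subscription

# Record what we need to rebuild the VM before deleting it.
$vm         = Get-AzureVM -ServiceName $serviceName -Name $vmName
$osDiskName = $vm.VM.OSVirtualHardDisk.DiskName
$size       = $vm.InstanceSize

# Option 1: delete the VM but NOT the disk (no -DeleteVHD), so the OS VHD and all
# data on it survive. The cloud service itself also stays.
Remove-AzureVM -ServiceName $serviceName -Name $vmName

# The disk stays marked as attached for a short while after the VM is gone; wait it out.
do {
    Start-Sleep -Seconds 15
    $disk = Get-AzureDisk -DiskName $osDiskName
} while ($disk.AttachedTo)

# Recreate the VM on the same OS disk and put it back in the same subnet.
# -VNetName is required when this was the only VM in the cloud service (the deployment
# was removed with it); drop -VNetName if other VMs in the service are still running.
$cfg = New-AzureVMConfig -Name $vmName -InstanceSize $size -DiskName $osDiskName |
       Set-AzureSubnet -SubnetNames $subnetName
New-AzureVM -ServiceName $serviceName -VNetName $vnetName -VMs $cfg

# Now reserve the address from the platform instead of inside Windows: the guest NIC
# stays on DHCP, but the Azure DHCP server always hands this VM the same lease.
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $staticIp
if ($check.IsAvailable) {
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Set-AzureStaticVNetIP -IPAddress $staticIp |
        Update-AzureVM
} else {
    Write-Warning "$staticIp is taken; free addresses: $($check.AvailableAddresses -join ', ')"
}

# Confirm: the VM should report the reserved address once it is running.
Get-AzureVM -ServiceName $serviceName -Name $vmName | Select-Object Name, Status, IpAddress
```

For option 2, the same module's Save-AzureVhd (blob URI to local file) and Add-AzureVhd (local file to blob) move the disk image; the VM must be deleted first so the blob lease is released, and the disk must be re-registered before a VM can be built on it, so option 1 is the shorter path when the VHD itself is fine.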

I've learned what the DNS section of each virtual network is for - because your virtual machines must use DHCP assigned addresses...and you don't have access to the Azure DHCP server, this is where you specify the DNS server(s) that you want the Azure DHCP server to issue to your virtual machines.  You can type in any DNS server that you want, such as the domain controller's address once it is reserved, or a server on the far side of the IPsec tunnel.